Hafnium Attack Exploits On-premise Microsoft Exchange Servers

March 4, 2021
John Mancini
Principal Product Management at Vectra AI
Hafnium Attack Exploits On-premise Microsoft Exchange Servers

On Tuesday March 2nd, Microsoft Threat Intelligence Center (MTIC) disclosed details on a campaign being called Hafnium that is targeting on-premises Microsoft Exchange Servers. The attack leverages several 0-day exploits in Exchange and allows the attackers to bypass authentication, including multi-factor authentication (MFA) to access e-mail accounts within targeted organizations and remotely execute malware on vulnerable Microsoft Exchange servers and facilitate long-term access.

The attack started with a global scan for any vulnerable external facing Microsoft Exchange servers. When a server of interest was identified, the attackers leveraged a zero-day server-side request forgery (SSRF) remote exploit to upload a web shell known as China Chopper. This web shell allowed attackers to steal email data and potentially move deeper into the network environment.

It should be noted that is vulnerability does not appear to impact Microsoft Office 365.

Vectra customers with Detect should review any detections associated with their Exchange servers. The reverse shell documented in the attacks will trigger an External Remote Access detection and exfiltration of data from the exchange server over that channel will trigger a Smash & Grab alert. Any signs of internal reconnaissance or lateral movement from the Exchange server should be reviewed carefully, as these alerts would indicate attacker movement deeper into the network.

Detecting Hafnium:remote access detection

Vectra customers with Recall or Stream should review connections to and from their Exchange server. In instances where Vectra sensors have visibility into out-to-in traffic to their Exchange servers, teams should check for connection attempts from any of the following IPs: 165.232.154.116, 157.230.221.198, and 161.35.45.41. Use the below queries to find potentially impacted hosts. 

{

 "query": {

   "bool":{

    "should": [

       {

        "match_phrase": {

          "id.orig_h": "165.232.154.116"

         }

       },

       {

        "match_phrase": {

          "id.orig_h": "157.230.221.198"

         }

       },

       {

        "match_phrase": {

          "id.orig_h": "161.35.45.41"

         }

       }

     ],

    "minimum_should_match": 1

   }

 }

}

As always, Vectra recommends that customers update their Exchange servers with the available patches from Microsoft as soon as possible, or limit the external access to these Exchange servers until a patch can be applied.

To learn more how Vectra can help you if you think you may have been compromised by the breach, schedule a demo to see how Vectra can detect and stop attacks like these in your organization or contact us.

FAQs